
Would you mind enlightening us? If you're using API keys over TLS+HTTP Basic Auth, storing the plain API key in your database means that anyone with read-only access to the API key table can now use those accounts. (Ignoring IP filtering or something.)

What am I missing?



If an attacker gets access to the key table, you are boned. Revoke all your keys. Make the keys worthless; don't take half-measures to try to protect them.


... I agree if you know an attacker has access then you should revoke. Just like if you know an employee has been compromised. But why wouldn't you store them hashed, anyways? So that if an employee has to debug something and selects more than they should, your system is not compromised?

Also, I'd say that a SHA256 hash of a 256-bit key is hardly a "half-measure". Nothing short of compromising your RNG or SHA2 will make those hashes useful to authenticate.
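An added example (not from any commenter on this thread) of the scheme the comment above describes: the table row holds only the SHA-256 digest of a 256-bit random secret, so reading the table yields nothing that authenticates. The `key_id` lookup prefix, the in-memory table and the revocation flag are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the API key table: key_id -> row.
# The row never contains the secret itself, only its SHA-256 digest.
KEY_TABLE = {}


def issue_api_key(account: str) -> str:
    """Mint a key for `account`; store only its hash, return the key once."""
    key_id = secrets.token_hex(8)        # public handle used to find the row
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # No salt or slow KDF: with 256 bits of entropy there is no dictionary
    # to brute-force, so a plain SHA-256 preimage is the attacker's only route.
    digest = hashlib.sha256(secret.encode()).hexdigest()
    KEY_TABLE[key_id] = {"hash": digest, "account": account, "revoked": False}
    return f"{key_id}.{secret}"          # shown to the user exactly once


def authenticate(presented: str):
    """Return the account name for a valid, unrevoked key, else None."""
    try:
        key_id, secret = presented.split(".", 1)
    except ValueError:
        return None
    row = KEY_TABLE.get(key_id)
    if row is None or row["revoked"]:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so response timing leaks nothing about the hash.
    if not hmac.compare_digest(digest, row["hash"]):
        return None
    return row["account"]


def revoke_all() -> int:
    """The 'revoke all your keys' response to a suspected table compromise."""
    for row in KEY_TABLE.values():
        row["revoked"] = True
    return len(KEY_TABLE)
```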



